DPDP Act 2023 Compliance Consulting in Bangalore

DPDP Act 2023 compliance consulting from Bengaluru. Data inventory, lawful-basis mapping, data principal rights workflow, consent manager integration, DPIA templates, and Significant Data Fiduciary audit programmes. Aligned to the operational DPDP Rules of 2025.

Timeline: 8–10 weeks
From (INR): ₹4,00,000
Delivered from: Bengaluru
Empanelment: CERT-In

India’s Digital Personal Data Protection Act, 2023 is the country’s first comprehensive horizontal data-protection law. The Act, the Rules notified in 2025, and the operational presence of the Data Protection Board of India have created a real compliance regime that Bangalore companies are now responsible for navigating. The substance is closer to the EU’s GDPR than to the older Section 43A / SPDI Rules approach — there are data principal rights, consent architecture, breach notification, accountability obligations, cross-border transfer rules, and material penalties — but the Indian approach has its own structural characteristics: the Consent Manager intermediary, the Significant Data Fiduciary classification with additional obligations, and the explicit cross-border country list. This page describes the engagement model for getting a Bangalore Data Fiduciary into operational compliance.

What the DPDP Act actually says

The Digital Personal Data Protection Act, 2023 (Act No. 22 of 2023) governs the processing of digital personal data within India and the processing of digital personal data of individuals in India by entities outside India where the processing is in connection with offering goods or services to those individuals. The Act applies to digital personal data only — analogue or paper records are outside scope.

The structural elements:

  • Data Principal — the individual whose personal data is processed
  • Data Fiduciary — the entity that determines the purpose and means of processing
  • Data Processor — the entity that processes data on behalf of a Data Fiduciary
  • Significant Data Fiduciary (SDF) — a Data Fiduciary notified as such, with additional obligations
  • Consent — the primary lawful basis, with strict format and revocation requirements
  • Legitimate Uses — defined exceptions where consent is not required (employment, certain public interest, fairness purposes, etc.)
  • Data Principal Rights — access, correction, erasure, grievance redressal, nomination
  • Consent Manager — regulated intermediary for consent management
  • Cross-border transfer — permitted to countries not on the restricted list
  • Data Protection Board of India — adjudicating authority

Who in Bangalore is affected

The short answer is "every Bangalore company processing personal data of Indian individuals." The longer answer breaks the population into specific categories with specific obligations:

B2C consumer products

HealthTech, EdTech, FinTech consumer apps, e-commerce, social platforms, content / media platforms. Direct relationship with data principals; full obligation set including consent, data principal rights, breach notification, retention. Highest-volume data principal interactions.

B2B SaaS

Data Fiduciary for employee, customer-employee, and lead data. Data Processor for customer-data processing on behalf of customer Data Fiduciaries. Obligations under both roles.

BFSI, healthcare, telecom

Sectoral regulators (RBI, IRDAI, SEBI, MoHFW, TRAI, DoT) have their own data-protection regimes that interact with DPDP. The DPDP obligations layer on top of the sectoral; conflicts are resolved per the Act’s harmonisation provisions.

Employers

All employers are Data Fiduciaries for employee personal data. Most "legitimate use" exceptions apply to employment processing, but data principal rights still apply.

Government and public-sector technology vendors

Vendors processing personal data on behalf of government Data Fiduciaries are Data Processors with the obligations of that role.

Data Fiduciary, SDF, Data Processor

The three roles have different obligation sets.

Data Fiduciary obligations

Lawful processing (consent or legitimate use), notice to data principals, security safeguards, breach notification, data principal rights fulfilment, retention limits, accuracy, accountability, and grievance officer designation.

Data Processor obligations

Processing only as instructed by the Data Fiduciary, security safeguards, contractual obligations passed through to sub-processors, breach notification to the Data Fiduciary.

Significant Data Fiduciary additional obligations

Data Protection Officer (DPO) appointment with specific qualifications and reporting line, periodic Data Protection Impact Assessments (DPIAs), independent data audits, additional algorithmic transparency obligations for material decisions affecting data principals.

Data principal rights workflow

The DPDP Act establishes specific rights for data principals that Data Fiduciaries must operationalise:

  • Right to Information about Personal Data — summary of personal data processed, processing activities, sharing
  • Right to Correction and Erasure — request correction, completion, updating, or erasure
  • Right to Grievance Redressal — internal grievance officer with defined response timeline
  • Right to Nominate — nominate another individual to exercise rights in event of death or incapacity

The workflow has to be operational, not just documented. Our engagement implements: a request-intake mechanism (form, email, in-app workflow), an identity-verification process (to ensure the requester is the data principal), a fulfilment workflow (request routed to the right team, response prepared, delivered within the DPDP-specified timeline), and a record-keeping system (we maintain the request log as the audit trail). Most Bangalore implementations integrate with existing CRM / support systems rather than running a separate DPDP portal.

Consent under the DPDP Act has specific format requirements: free, specific, informed, unconditional, unambiguous, given by clear affirmative action, signifying agreement to the processing of personal data for the specified purpose, limited to such personal data as is necessary for that specified purpose. Bundled consent (where agreement to one use signals agreement to multiple unrelated uses) is invalid.

The Consent Manager framework allows data principals to manage their consent across multiple Data Fiduciaries through a single interface. Live Consent Managers as of 2026 include Sahamati (operating the Account Aggregator framework for financial data), DigiLocker (government documents), and several emerging private-sector Consent Managers.

Most Bangalore Data Fiduciaries do not need to integrate with an external Consent Manager — internal consent management is permitted provided the format and audit-trail requirements are met. We design the consent flow, the consent record, the revocation workflow, and the audit-trail format. For B2C consumer apps with high data principal volume and frequent regulator scrutiny, integration with one or more Consent Managers is recommended.
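One way to hold internal consent records that meet the format and audit-trail requirements described above: per-purpose grants, rejection of a single affirmative action that bundles unrelated purposes, revocation as a new event rather than an edit, and point-in-time lookup so a later revocation does not retroactively cover processing that was lawful when it happened. This is an added Python illustration, not code from this page or from the consultancy; the purpose names, the purpose-family grouping used to detect bundling, and the record fields are all constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Constructed purpose catalogue: each purpose stated in the notice belongs to a
# purpose family. Bundled consent (one tick covering unrelated uses) is invalid,
# so a single affirmative action may only cover purposes of one family.
PURPOSE_FAMILY = {
    "order_fulfilment": "commerce",
    "delivery_updates": "commerce",
    "marketing_email": "marketing",
    "behavioural_ads": "marketing",
    "credit_scoring": "lending",
}

@dataclass(frozen=True)
class ConsentEvent:
    """One immutable entry in the consent audit trail (constructed schema)."""
    principal_id: str
    purpose: str
    action: str           # "grant" or "revoke"
    at: datetime
    notice_version: str   # which notice text the principal saw
    evidence: str         # how the affirmative action was captured

class ConsentLedger:
    """Append-only, per-purpose consent record with point-in-time lookup."""
    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def grant(self, principal_id: str, purposes: List[str], notice_version: str,
              evidence: str, at: Optional[datetime] = None) -> None:
        """Record one affirmative action; reject unknown or bundled purposes."""
        at = at or datetime.now(timezone.utc)
        if any(p not in PURPOSE_FAMILY for p in purposes):
            raise ValueError("purpose not stated in the notice")
        families = {PURPOSE_FAMILY[p] for p in purposes}
        if len(families) != 1:
            raise ValueError(f"bundled consent across {sorted(families)}")
        for p in purposes:
            self._events.append(ConsentEvent(principal_id, p, "grant", at,
                                             notice_version, evidence))

    def revoke(self, principal_id: str, purpose: str, evidence: str,
               at: Optional[datetime] = None) -> None:
        """Revocation is a new event; earlier grants are never edited."""
        at = at or datetime.now(timezone.utc)
        self._events.append(ConsentEvent(principal_id, purpose, "revoke", at,
                                         "", evidence))

    def may_process(self, principal_id: str, purpose: str,
                    at: Optional[datetime] = None) -> bool:
        """Latest event for (principal, purpose) on or before `at` decides. A past
        `at` shows whether processing done then was covered; revocation is not retroactive."""
        at = at or datetime.now(timezone.utc)
        state = None
        for ev in sorted(self._events, key=lambda e: e.at):
            if ev.principal_id == principal_id and ev.purpose == purpose and ev.at <= at:
                state = ev.action
        return state == "grant"

    def audit_trail(self, principal_id: str) -> List[ConsentEvent]:
        """Everything recorded for one principal, for a rights request or audit."""
        return [e for e in self._events if e.principal_id == principal_id]

def demo() -> Tuple[bool, bool, bool, bool, int]:
    """Constructed walk-through: grant, rejected bundled grant, revoke, queries."""
    ledger = ConsentLedger()
    jan10 = datetime(2026, 1, 10, tzinfo=timezone.utc)
    jan20 = datetime(2026, 1, 20, tzinfo=timezone.utc)
    feb1 = datetime(2026, 2, 1, tzinfo=timezone.utc)
    ledger.grant("dp-001", ["order_fulfilment", "delivery_updates"], "v3",
                 "checkbox:commerce@v3", at=jan10)
    try:  # one tick box spanning commerce and advertising is bundled consent
        ledger.grant("dp-001", ["delivery_updates", "behavioural_ads"], "v3",
                     "checkbox:everything@v3", at=jan10)
        bundled_rejected = False
    except ValueError:
        bundled_rejected = True
    ledger.revoke("dp-001", "delivery_updates", "settings:toggle_off", at=feb1)
    return (
        ledger.may_process("dp-001", "order_fulfilment", at=feb1),   # still granted
        ledger.may_process("dp-001", "delivery_updates", at=feb1),   # revoked
        ledger.may_process("dp-001", "delivery_updates", at=jan20),  # was covered
        bundled_rejected,
        len(ledger.audit_trail("dp-001")),                           # 3 events
    )
```

The same ledger answers a Right to Information request (the per-principal trail) and an auditor's "was this processing consented to at the time" question without any record ever being modified.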

Significant Data Fiduciary obligations

If you are notified as an SDF (or assess yourself as meeting the criteria), the additional obligations:

Data Protection Officer

The DPO must be a senior employee with information-protection responsibility, must be based in India, must be the contact point for data principals and the Data Protection Board, and must report to the Board of Directors. Some companies hire externally for the role; others designate an existing senior officer. The role is more substantive than a "compliance officer" and resembles the GDPR DPO obligation.

Periodic DPIA

Data Protection Impact Assessment for high-risk processing activities. Format requirements specified in the Rules. Output: a written DPIA document with risk assessment, mitigation plan, and DPO sign-off. Frequency: typically annual plus on initiation of significant new processing activities.

Independent data audit

Annual independent audit of compliance with the Act. The auditor must be independent of the SDF and qualified per Rules. We are engaged as the independent data auditor for several SDF candidates; the audit is a separate engagement from compliance implementation.

Algorithmic transparency

For SDFs using automated decision-making affecting data principals, additional transparency obligations apply. The detail is being clarified in subsequent Rules / guidance; we track the regulatory development.

Cross-border data transfer

Cross-border transfer of personal data is permitted to all countries except those notified as restricted by the Central Government. As of 2026, the restricted-country list is short and excludes most Western jurisdictions; the practical effect is that AWS US-East, Azure West Europe, GCP Iowa, and most popular SaaS infrastructure remain available. The list is reviewed periodically; we monitor changes.

For SDFs and for any Data Fiduciary that wants the strongest position, in-country processing (AWS Mumbai, Azure Central India, GCP Mumbai or Delhi) is the simplest answer. Sectoral regulators (RBI for payment data; SEBI for securities-market data; specific Government departments) impose their own residency requirements that override DPDP’s permissive position.

Eight-to-ten week engagement roadmap

Weeks 1–2 · Data inventory

Cross-functional discovery to map personal data flows. We meet engineering, product, marketing, sales, customer success, HR, finance, legal. Output: a personal data inventory documenting what is collected, why, where it lives, who has access, with whom it is shared, and how long it is retained.

Weeks 3–4 · Lawful-basis mapping

For each processing activity in the inventory, identify the lawful basis (consent vs which legitimate use). Identify gaps — processing activities without a clear lawful basis go into the remediation backlog.

Week 5 · Notice and consent

Draft DPDP-compliant notices for each data principal interaction. Design the consent flows for cases requiring consent. Implement consent records and revocation workflow.

Week 6 · Data principal rights workflow

Implement the request-intake, identity-verification, fulfilment, and record-keeping workflow.

Week 7 · Security safeguards and breach response

Map existing security controls to DPDP’s "reasonable security safeguards" requirement. Implement breach-detection and notification workflow (72-hour clock to the Data Protection Board for material breaches; immediate to affected data principals where required).

Week 8 · Vendor and processor agreements

Update vendor contracts with DPDP-compliant data-processor terms. Identify cross-border transfer compliance for each vendor.

Weeks 9–10 · Documentation, training, audit-readiness

Compile the documentation pack (notices, consent records, RoPA-equivalent register, DPO appointment if SDF, training records). Run an internal awareness session. Produce an audit-ready evidence pack.

Pricing in INR

Tier 1 · Standard DF
Data Fiduciary Compliance
₹4,00,000 + GST
  • 8-week engagement
  • Personal data inventory
  • Notice / consent / rights workflow
  • Vendor agreement updates
  • Documentation pack

Tier 3 · SDF Audit
Independent Data Audit
₹3,40,000 / year + GST
  • Annual independent audit
  • Auditor report to Board
  • Findings and remediation plan
  • Required annually for SDFs

Penalties and DPB enforcement

Penalty schedule under the DPDP Act:

Breach                                        Maximum penalty
Failure of reasonable security safeguards     ₹250 crore
Failure to notify breach                      ₹200 crore
Breach of additional SDF obligations          ₹150 crore
Breach of children-data provisions            ₹200 crore
Breach of duty by Consent Manager             ₹50 crore
Breach of any other provision                 ₹50 crore

Penalties are imposed by the Data Protection Board after due process — show-cause notice, hearing, written order. Appeals are to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT). The DPB has indicated it will take a measured initial enforcement posture but the headline figures are intended to be deterrent.

DPDP Act application by Bangalore industry vertical

The DPDP Act applies horizontally — every Data Fiduciary, regardless of industry, has the same baseline obligations. But the operational implementation differs sharply by sector, because the data flows, the volume of data principal interactions, the lawful-basis mix, and the sectoral regulatory overlay are all sector-specific.

BFSI — Banks, NBFCs, payment aggregators

RBI’s pre-existing data-protection regime (KYC norms, customer-information protection, payment-data localisation under the 2018 Payments Data Storage circular, account-aggregator framework) interacts with DPDP. Where they conflict, the more-stringent applies. Practical impact: BFSI Data Fiduciaries need a layered notice-and-consent architecture (RBI requirements + DPDP requirements), heightened security safeguards (DPDP’s "reasonable security safeguards" plus RBI’s prescriptive expectations), and breach-notification flows that satisfy CERT-In, RBI, the Data Protection Board, and (where applicable) the affected data principals on the same six-hour clock. Our BFSI engagements produce a unified compliance pack rather than four separate playbooks.

Fintech — Lending, wealth, insurtech

Lending fintechs operating under the RBI Digital Lending Guidelines have specific consent, lookalike-data-restriction, and grievance-redressal obligations that pre-date DPDP. The Account Aggregator framework (Sahamati-operated) provides a Consent Manager rail that lending fintechs increasingly rely on; the DPDP-compliant consent record is generated through the Sahamati flow. Insurtech under IRDAI guidelines has data-classification and data-retention obligations that intersect with DPDP’s retention principles. Our fintech engagements integrate the sectoral specifics rather than treating DPDP as a layer on top.

HealthTech — Telemedicine, diagnostics, consumer health apps

Health data is sensitive personal data under DPDP’s Schedule (when notified). The DISHA framework (where applicable), Telemedicine Practice Guidelines (March 2020), the National Digital Health Mission’s ABDM data-protection expectations, and the Clinical Establishments Act all interact with DPDP. Children’s data has specific additional obligations under DPDP — and pediatric / family-health applications need to design for them. Our HealthTech engagements typically result in a longer-than-average documentation pack because the regulatory overlay is dense; the implementation is correspondingly more careful.

EdTech — School, higher-ed, professional learning

Children’s data under DPDP carries enhanced protection — age-verification, verifiable parental consent, prohibition on tracking and behavioural monitoring of children, prohibition on targeted advertising. EdTech platforms serving K-12 face the most-onerous DPDP implementation in any vertical because every interaction is potentially a child-data interaction. Higher-ed and professional learning are simpler — adult-data with consent — but still need careful retention and grievance-redressal implementation. Bangalore is home to a meaningful portion of India’s EdTech industry; our engagements here typically focus on age-verification implementation and parental-consent workflow.

SaaS — B2B Data Processors and Data Fiduciary employers

B2B SaaS operates in a layered relationship — Data Processor for customer data, Data Fiduciary for employee / lead / customer-employee data. The two roles have different obligations; conflating them produces compliance gaps. Our SaaS engagements untangle the two roles, draft the Data Processing Agreement clauses for each customer, and design the obligation-allocation between the SaaS company and the customer. Cross-border-transfer disclosure is operationally significant — most SaaS architectures route data through US or EU regions for technical reasons, and customer-facing disclosure has to be precise.

Consumer apps — E-commerce, social, content, gaming

Consumer apps with high-volume data principal interaction face the largest operational implementation surface. Notice-and-consent at scale, data principal rights workflow at volume, retention-policy enforcement across many data stores, and breach-notification readiness are all volumes-driven challenges. Consumer apps are also the most-likely candidates for SDF designation; pre-emptively building SDF-grade controls is a defensible strategic move even before notification. Most large Bangalore consumer apps we engage with are operating at SDF-grade today regardless of formal notification status.

DPDP alongside SOC 2 and ISO 27001

For Bangalore companies pursuing both DPDP compliance and SOC 2 / ISO 27001 certification, the engagement design matters. Run sequentially, the cost is roughly 1.6× the bundled engagement; run concurrently, the evidence cycle is unified and the cost saving is meaningful.

The mapping: SOC 2’s Privacy TSC overlaps roughly 60% with DPDP’s Data Fiduciary obligations. ISO 27001:2022 Annex A includes A.5.34 (Privacy and protection of PII) which maps to DPDP Privacy Officer / Data Principal rights workflow. The DPIA discipline of DPDP maps to ISO 27005 risk-assessment methodology with privacy-specific extensions. The breach-notification regime under DPDP maps to ISO 27001’s incident-management Annex A controls. Designing the implementation as a single integrated programme produces a stronger control set, less duplicative documentation, and a more-defensible audit posture.

Our typical bundled engagement for a Bangalore B2C SaaS pursuing all three: 16 weeks total (versus 8 + 14 + 16 = 38 weeks sequentially), single evidence-collection cycle, single internal audit, parallel certification audits. Cost savings: ₹4–6 lakh versus separate engagements.

Children’s data — the most-onerous DPDP requirement

The DPDP Act’s treatment of children’s data is among its strictest provisions. A "child" is defined as an individual below the age of 18. Specific obligations:

  • Verifiable consent of the parent or lawful guardian before processing children’s data
  • Prohibition on tracking, behavioural monitoring, or targeted advertising directed at children
  • Heightened security safeguards proportionate to children’s vulnerability
  • Lower thresholds for "Significant Data Fiduciary" designation where children’s data is processed at scale

The "verifiable consent" requirement is operationally the hardest. Acceptable methods include: government-ID verification of the parent (Aadhaar through DigiLocker is the canonical Indian implementation), credit-card pre-authorisation (which only an adult can complete, but raises payment-friction issues), parental-email-verification followed by document upload, and emerging biometric-based age-assurance services. For Bangalore EdTech and gaming companies serving children, designing the verifiable-consent flow is the primary DPDP compliance work.

DPB enforcement trajectory — what we expect through 2026–2027

The Data Protection Board of India is operational but has been measured in initial enforcement, focusing on systemic clarification rather than aggressive penalisation. Industry watchers expect enforcement to scale through 2026 and 2027 as the Board builds investigative capacity, the DPDP Rules are tested in practice, and high-profile cases create precedent. Sectors expected to see early enforcement attention: EdTech (children’s data), HealthTech (sensitive data), large consumer platforms (volume), and B2B Data Processors that fail to flow contractual obligations through to sub-processors.

The defensible posture is to be operationally compliant before enforcement attention, rather than after. The cost of a DPDP compliance engagement is meaningfully less than the cost of post-enforcement remediation under DPB scrutiny — and is dramatically less than the headline penalty figures in the Schedule. Most Bangalore companies that engaged us through 2025 and early 2026 did so on this defensible-posture rationale rather than under specific complaint or investigation.

DPDP terminology — a working glossary for engineering and product teams

The DPDP Act introduces a vocabulary that engineering and product teams should be operationally familiar with:

  • Personal data — any data about an individual who is identifiable by or in relation to such data
  • Digital personal data — personal data in digital form
  • Data Principal — the individual to whom the personal data relates; for children and persons with disabilities, the lawful guardian
  • Data Fiduciary — the entity that determines the purpose and means of processing
  • Data Processor — the entity that processes data on behalf of a Data Fiduciary
  • Significant Data Fiduciary — a Data Fiduciary notified by the Central Government as such
  • Processing — collection, recording, organisation, structuring, storage, use, alignment, combination, disclosure, dissemination, restriction, erasure, or destruction
  • Consent Manager — a person registered with the Data Protection Board to manage consent on behalf of Data Principals
  • Notice — the document the Data Fiduciary provides to the Data Principal at or before processing, in clear and plain language, in English or any of the languages specified in the Eighth Schedule of the Constitution
  • DPIA — the Data Protection Impact Assessment required for SDFs
  • Cross-border transfer — the transfer of personal data outside India

The framework references should be precise — using "Data Subject" (the GDPR term) rather than "Data Principal" in DPDP context is a small marker that the operational team has not yet read the actual statute.

To start a DPDP compliance engagement, the next step is a thirty-minute scoping call. Most engagements begin within ten business days of contract signing.

Frequently asked questions

The Digital Personal Data Protection Act, 2023 received Presidential assent on 11 August 2023 and was notified in stages. The Rules under the Act were notified in 2025; as of 2026 the framework is operational. The Data Protection Board of India (DPB) is constituted and accepting complaints. Your Bangalore company has DPDP obligations now; treating it as a 2027-or-later concern is a risk both regulatory and reputational.

A Data Fiduciary under the DPDP Act is any person (including a company) that determines the purpose and means of processing personal data. If you collect personal data of Indian individuals — employees, customers, leads, prospects — you are a Data Fiduciary. The threshold is "do you make decisions about how personal data is used?" not "do you primarily handle personal data?" — almost every Bangalore B2B and B2C company is a Data Fiduciary.

A Significant Data Fiduciary (SDF) is a Data Fiduciary that the Central Government notifies as such, based on factors including volume and sensitivity of personal data processed, risk to data principals, potential impact on India’s sovereignty / integrity / electoral democracy, public order, and cybersecurity. SDFs have additional obligations — DPO appointment, DPIA, audits, algorithmic transparency. The notification has been criteria-based; large consumer platforms, e-commerce companies above thresholds, fintech aggregators, and significant-volume HealthTech / EdTech players are typical SDF candidates. We help you assess whether you meet the criteria and prepare the additional obligations if you do.

Three significant differences. First, DPDP applies only to digital personal data (electronic format) — paper records are out of scope; GDPR covers both. Second, DPDP’s lawful bases for processing are narrower: consent and certain "legitimate uses" (employment-related, public-interest, fairness purposes); GDPR has six lawful bases including legitimate interests. Third, DPDP introduces the Consent Manager — a regulated intermediary entity that allows users to manage consent across multiple Data Fiduciaries; GDPR has no equivalent. DPDP penalties are also structured differently (per-breach maxima specified in the Schedule rather than turnover-based).

A Data Protection Impact Assessment (DPIA) is a written assessment of the impact of a planned processing activity on the rights of data principals. Under DPDP, DPIA is mandatory for Significant Data Fiduciaries. Best practice for non-SDFs is to conduct a DPIA for any new high-risk processing — large-scale profiling, automated decision-making, processing of children’s data, processing of sensitive financial / health data. Our engagement produces DPIA templates customised to your processing activities and trains your team to operate them.

Use of a Consent Manager is optional but increasingly expected for high-volume consumer-facing platforms. The Consent Manager framework is operationalised under the DPDP Rules; the most-prominent live entities include Sahamati (financial-data consent under Account Aggregator), DigiLocker (government data), and the consent gateway extensions to UIDAI Aadhaar consent. For non-Consent-Manager flows, you can store consent in your own systems provided you meet the format and durability requirements specified in the Rules — we help you design the consent record format, retention, and revocation workflow.

Data principals are individuals, not companies. But your B2B SaaS likely processes the personal data of your customer’s employees and end-users — those are data principals with rights. The relationship is layered: your customer is the Data Fiduciary, you are the Data Processor on their behalf. Your obligations are governed by your contract with your customer (which must contain DPDP-compliant terms) plus the Act’s direct obligations on Data Processors. We map this for you in the engagement.

Yes, with restrictions. The DPDP Act permits cross-border transfer to any country except those notified by the Central Government as restricted. As of 2026, the restricted-country list is short and excludes most Western jurisdictions. The practical implication for a typical Bangalore SaaS company is that AWS / Azure / GCP regions in the US, EU, Singapore, and Australia remain available; some specifically-notified jurisdictions are not. Our engagement assesses your cross-border data flows and documents the residency / transfer compliance.

The DPDP Act provides for penalties in the Schedule. Material penalties include: failure to take reasonable security safeguards (up to ₹250 crore per breach), failure to notify breach (up to ₹200 crore), additional obligations of SDFs (up to ₹150 crore), failure to fulfil child-data obligations (up to ₹200 crore), and breach of any provision (up to ₹50 crore). Penalties are imposed by the Data Protection Board after due process. The headline figures are higher than equivalent provisions in many sectoral regulations and have prompted significant enforcement attention.

Standard engagement is 8–10 weeks for a typical Bangalore B2B SaaS or B2C consumer company. SDF engagements with audit and DPIA obligations are 12–14 weeks. Greenfield engagements (where there is no current data inventory) take longer because the inventory phase alone is 2–3 weeks of cross-functional discovery.

Ready to scope this engagement?

Book a thirty-minute scoping call.

Tell us your framework, your stack and the deadline. You leave the call with a written scope, a fixed price in INR, and a kick-off invite.